المهارات chatkit-widget سجل التدقيق
📦

سجل التدقيق

chatkit-widget - 7 عمليات التدقيق

إصدار التدقيق 7

الأحدث مخاطر عالية

Jun 28, 2026, 11:57 AM

Static analysis found many high-severity patterns, but most weak-crypto, shell-backtick, and reconnaissance alerts are false positives caused by regex use and Markdown examples. No prompt injection or confirmed malicious intent was found, but the sample API proxy can expose a server bearer token through an unauthenticated forwarding route, so publication should wait for a safer implementation.

2
الملفات التي تم فحصها
804
الأسطر التي تم تحليلها
11
النتائج
codex
دقّقه

مشكلات عالية المخاطر (1)

Secret-Bearing API Proxy Lacks Authentication
The backend proxy example reads a server-side ChatKit secret and forwards client-supplied endpoint, method, and payload values to the ChatKit API. The sample does not show authentication, role checks, rate limiting, or strict operation mapping before attaching the bearer token, so a deployed copy could let unauthorized users spend or abuse the server credential.
مشكلات متوسطة المخاطر (2)
Remote Widget Script Loaded Without Integrity Controls
The client example builds a script URL from configuration and appends it to the page without an integrity check or a strict host allowlist. This is a common widget pattern, but it increases supply-chain risk if the endpoint is changed or compromised.
User-Controlled Proxy Method Is Too Broad
The proxy accepts the HTTP method from the request body and only checks whether the endpoint starts with an allowed prefix. A safer pattern would map named server actions to fixed upstream methods and paths.
مشكلات منخفضة المخاطر (4)
Weak Cryptography Alerts Are False Positives
The reported weak cryptographic algorithm matches in scripts/verify.py are regex parsing and string validation, not hashing, encryption, or signature verification. Similar hits in SKILL.md are Markdown text, colors, JSX paths, or plain examples rather than cryptographic APIs.
Shell Backtick Alerts Are Markdown Formatting
The Ruby or shell backtick detections occur inside Markdown inline-code spans, tables, and fenced examples. They are documentation formatting, not executed backtick commands.
Environment Variable Examples Are Mostly Legitimate Configuration
The environment variable detections are primarily documentation for public ChatKit identifiers, a server secret, and API base URL configuration. This is expected for a widget integration skill, although the server secret becomes risky in the proxy pattern described above.
System Reconnaissance Alerts Are Benign Validation Output
The system reconnaissance detections point to validation and error output rather than host inspection or data collection. No evidence found of commands that enumerate the system, network, users, or files beyond checking SKILL.md and scripts/verify.py existence.

عوامل الخطر

الأنماط المكتشفة

Network Request With Server CredentialCritical Heuristic Combination Is Partly Confirmed But Not Malicious

إصدار التدقيق 6

آمن

Jan 21, 2026, 04:45 PM

This is an instructional documentation skill for ChatKit widget integration. Static analyzer flagged 109 potential issues, but all are false positives from misinterpreting markdown code blocks and documentation content. The verify.py script is a legitimate validation tool using regex. No actual security risks identified.

3
الملفات التي تم فحصها
1,871
الأسطر التي تم تحليلها
0
النتائج
claude
دقّقه
لم تُكتشف مشكلات أمنية

إصدار التدقيق 5

مخاطر متوسطة

Jan 16, 2026, 05:26 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

3
الملفات التي تم فحصها
1,017
الأسطر التي تم تحليلها
4
النتائج
claude
دقّقه
لم تُكتشف مشكلات أمنية

الأنماط المكتشفة

Weak cryptographic algorithmSystem reconnaissanceHardcoded URLGeneric API/secret keysEnvironment file accessDynamic import() expressionRuby/shell backtick executionFetch API callEnvironment variable access (dot notation)Environment variable object[HEURISTIC] DANGEROUS COMBINATION: Code execution + Network + Credential access[HEURISTIC] SUSPICIOUS COMBINATION: Filesystem + Credentials + Network

إصدار التدقيق 4

مخاطر متوسطة

Jan 16, 2026, 05:26 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

3
الملفات التي تم فحصها
1,017
الأسطر التي تم تحليلها
4
النتائج
claude
دقّقه
لم تُكتشف مشكلات أمنية

الأنماط المكتشفة

Weak cryptographic algorithmSystem reconnaissanceHardcoded URLGeneric API/secret keysEnvironment file accessDynamic import() expressionRuby/shell backtick executionFetch API callEnvironment variable access (dot notation)Environment variable object[HEURISTIC] DANGEROUS COMBINATION: Code execution + Network + Credential access[HEURISTIC] SUSPICIOUS COMBINATION: Filesystem + Credentials + Network

إصدار التدقيق 3

مخاطر منخفضة

Jan 10, 2026, 10:57 AM

Pure documentation skill containing markdown guidance and a Python validation script. The verify.py script only reads SKILL.md for validation purposes and has no network, command execution, or sensitive data access capabilities.

2
الملفات التي تم فحصها
804
الأسطر التي تم تحليلها
2
النتائج
claude
دقّقه
لم تُكتشف مشكلات أمنية

عوامل الخطر

⚡ يحتوي على سكربتات (1)
📁 الوصول إلى نظام الملفات (1)

إصدار التدقيق 2

مخاطر منخفضة

Jan 10, 2026, 10:57 AM

Pure documentation skill containing markdown guidance and a Python validation script. The verify.py script only reads SKILL.md for validation purposes and has no network, command execution, or sensitive data access capabilities.

2
الملفات التي تم فحصها
804
الأسطر التي تم تحليلها
2
النتائج
claude
دقّقه
لم تُكتشف مشكلات أمنية

عوامل الخطر

⚡ يحتوي على سكربتات (1)
📁 الوصول إلى نظام الملفات (1)

إصدار التدقيق 1

مخاطر منخفضة

Jan 10, 2026, 10:57 AM

Pure documentation skill containing markdown guidance and a Python validation script. The verify.py script only reads SKILL.md for validation purposes and has no network, command execution, or sensitive data access capabilities.

2
الملفات التي تم فحصها
804
الأسطر التي تم تحليلها
2
النتائج
claude
دقّقه
لم تُكتشف مشكلات أمنية

عوامل الخطر

⚡ يحتوي على سكربتات (1)
📁 الوصول إلى نظام الملفات (1)